network rules not enforced

Bug #1456059 reported by 666threesixes666
This bug affects 1 person
Affects: AppArmor
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

vanilla kernel.org 4.0.2:
apparmor 2.8.4:

/etc/init.d/apparmor restart
 * Stopping AppArmor ...
 * Unloading AppArmor profiles [ ok ]
 * Starting AppArmor ...
 * Loading AppArmor profiles ...
Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /{usr/,}bin/ping network rules not enforced
Warning from /etc/apparmor.d/sbin.klogd (/etc/apparmor.d/sbin.klogd line 36): profile /sbin/klogd network rules not enforced
Warning from /etc/apparmor.d/sbin.syslogd (/etc/apparmor.d/sbin.syslogd line 41): profile /sbin/syslogd network rules not enforced
Warning from /etc/apparmor.d/sbin.syslog-ng (/etc/apparmor.d/sbin.syslog-ng line 55): profile /sbin/syslog-ng network rules not enforced
Warning from /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 (/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 line 80): profile /usr/lib/apache2/mpm-prefork/apache2 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 (/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 line 80): profile DEFAULT_URI network rules not enforced
Warning from /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 (/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 line 80): profile HANDLING_UNTRUSTED_INPUT network rules not enforced
Warning from /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 (/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 line 80): profile phpsysinfo network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.deliver (/etc/apparmor.d/usr.lib.dovecot.deliver line 29): profile /usr/lib/dovecot/deliver network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.dovecot-auth (/etc/apparmor.d/usr.lib.dovecot.dovecot-auth line 23): profile /usr/lib/dovecot/dovecot-auth network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap (/etc/apparmor.d/usr.lib.dovecot.imap line 27): profile /usr/lib/dovecot/imap network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.imap-login (/etc/apparmor.d/usr.lib.dovecot.imap-login line 23): profile /usr/lib/dovecot/imap-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.managesieve-login (/etc/apparmor.d/usr.lib.dovecot.managesieve-login line 22): profile /usr/lib/dovecot/managesieve-login network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3 (/etc/apparmor.d/usr.lib.dovecot.pop3 line 23): profile /usr/lib/dovecot/pop3 network rules not enforced
Warning from /etc/apparmor.d/usr.lib.dovecot.pop3-login (/etc/apparmor.d/usr.lib.dovecot.pop3-login line 21): profile /usr/lib/dovecot/pop3-login network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.avahi-daemon (/etc/apparmor.d/usr.sbin.avahi-daemon line 31): profile /usr/sbin/avahi-daemon network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.dnsmasq (/etc/apparmor.d/usr.sbin.dnsmasq line 69): profile /usr/sbin/dnsmasq network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.dovecot (/etc/apparmor.d/usr.sbin.dovecot line 42): profile /usr/sbin/dovecot network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.identd (/etc/apparmor.d/usr.sbin.identd line 31): profile /usr/sbin/identd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.mdnsd (/etc/apparmor.d/usr.sbin.mdnsd line 35): profile /usr/sbin/mdnsd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.nmbd (/etc/apparmor.d/usr.sbin.nmbd line 29): profile /usr/sbin/nmbd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.nscd (/etc/apparmor.d/usr.sbin.nscd line 50): profile /usr/sbin/nscd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.ntpd (/etc/apparmor.d/usr.sbin.ntpd line 77): profile /usr/sbin/ntpd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.smbd (/etc/apparmor.d/usr.sbin.smbd line 57): profile /usr/sbin/smbd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.smbldap-useradd (/etc/apparmor.d/usr.sbin.smbldap-useradd line 38): profile /usr/sbin/smbldap-useradd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.smbldap-useradd (/etc/apparmor.d/usr.sbin.smbldap-useradd line 38): profile /etc/init.d/nscd network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.traceroute (/etc/apparmor.d/usr.sbin.traceroute line 29): profile /usr/{sbin/traceroute,bin/traceroute.db} network rules not enforced

Seth Arnold (seth-arnold) wrote :

I believe the networking mediation is only in the Ubuntu kernels at this moment; there is a chance they are also in e.g. the openSUSE and SLES kernels, but I have not verified for myself.

We're working on getting these features into upstream kernels but it is a slow process.

Thanks

Changed in apparmor:
status: New → Invalid
information type: Private Security → Public
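
The condition described in the comment above can be checked on a given host. The following is an added example, not from the bug thread or the AppArmor project: it extracts the affected profiles from the init-script warnings shown in the report and tests whether the kernel advertises network mediation. The function names are hypothetical, and the `network` / `network_v8` entries under the securityfs `features` directory are an assumption about how support is exposed.

```shell
#!/bin/sh
# Added example (not from the bug thread). Function names are hypothetical.

# Read AppArmor init-script/parser output on stdin; print
# "<profile file><TAB><profile name>" for every profile whose network rules
# the kernel will not enforce.
unenforced_profiles() {
    awk '/^Warning from / && / network rules not enforced$/ {
        file = $3
        name = $0
        sub(/^.*\): profile /, "", name)
        sub(/ network rules not enforced$/, "", name)
        print file "\t" name
    }'
}

# Succeed if the kernel advertises AppArmor network mediation.
# ASSUMPTION: support appears as a "network" or "network_v8" entry in the
# securityfs features directory; $1 overrides the directory.
kernel_mediates_network() {
    features="${1:-/sys/kernel/security/apparmor/features}"
    [ -e "$features/network" ] || [ -e "$features/network_v8" ]
}

# Sample input: three warning lines copied from the report above, plus one
# unrelated status line that must be ignored.
sample_log() {
    cat <<'EOF'
 * Loading AppArmor profiles ...
Warning from /etc/apparmor.d/bin.ping (/etc/apparmor.d/bin.ping line 28): profile /{usr/,}bin/ping network rules not enforced
Warning from /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 (/etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 line 80): profile DEFAULT_URI network rules not enforced
Warning from /etc/apparmor.d/usr.sbin.traceroute (/etc/apparmor.d/usr.sbin.traceroute line 29): profile /usr/{sbin/traceroute,bin/traceroute.db} network rules not enforced
EOF
}

if kernel_mediates_network; then
    echo "kernel advertises AppArmor network mediation"
else
    echo "no network mediation; network rules in these profiles are inert:"
    sample_log | unenforced_profiles
fi
```
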
L29Ah (zl29ah) wrote :

Is there a bug/issue/list that tracks the upstreaming process?

Vincas Dargis (talkless) wrote :

I do not know if there is a bug for that, but I see there is a commit for "apparmor: add base infastructure for socket mediation" in the apparmor-next branch:

https://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor.git/log/?h=apparmor-next

It tried to enter upstream with 4.14 IIRC, but was reverted due to some issues.
